Modern web applications comprise a conglomeration of JavaScript from
multiple authors: third-party libraries included by a site's developer,
site-specific scripts by the site developer herself, and third-party
extensions installed in the browser by the user. Recent years have seen
the continual discovery of practical attacks on web users'
privacy---from the leaking of sensitive data within pages by malicious
third-party library code, to similar leaks by malicious browser
extensions, to more subtle leaks, such as those via image resources.
Fundamentally, these privacy violations occur because today's web
browsers lack sufficient mechanisms for confining untrusted code. We
present SWAPI, a simple but powerful approach to robust confinement of
JavaScript in modern web browsers. SWAPI prevents malicious third-party
libraries from violating users' privacy. It provides safety to mashup
web applications that previously posed an inherent risk to user data
confidentiality. SWAPI's flexible confinement mechanisms furthermore
obviate much of the need for privilege in browser extensions, permitting
many of today's extensions to be realized instead as untrusted web
pages. SWAPI has been implemented in both Firefox and Chromium;
measurements of both browsers demonstrate a virtually imperceptible
increase in page-load latency.

Bio:

Deian Stefan is a fourth-year Ph.D. student in Computer Science at
Stanford University. His research interests are in computer and web
security, with specific attention to language-based and library-based
approaches to enforcing information flow control.